09-27-2015 08:58 PM
Hi there,
We just had an issue on our VPN hub after a short internet outage. Our site-to-site VPN hub is set up on a pair of Cisco 3925 routers. After the outage we noticed 3 remote sites cannot connect to our data centre anymore.
We have verified that the phase 1 negotiation works OK, and it looks like the phase 2 IPsec has got stuck. No matter how we try to clear the crypto isakmp SA, it still doesn't help. I also cannot find any command to clear the IPsec SA.
protected vrf: VRF_VPN
local ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
current_peer <remote IP> port 500
PERMIT, flags={}
#pkts encaps: 481619, #pkts encrypt: 481619, #pkts digest: 481619
#pkts decaps: 780905, #pkts decrypt: 780905, #pkts verify: 780905
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: <Local IP>, remote crypto endpt.: 210.86.1.51
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.12
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: <local IP>, remote crypto endpt.: <remote IP>
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.12
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
When we turn on debugging we see the log below:
8958079: Sep 28 16:54:46.590 NZDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
8958080: Sep 28 16:54:47.382 NZDT: IPSEC(validate_proposal_request): proposal part #1
8958081: Sep 28 16:54:47.382 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <Local IP>:0, remote= <remote IP>:0,
local_proxy= 172.16.0.0/255.240.0.0/256/0,
remote_proxy= 192.168.210.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
8958082: Sep 28 16:54:47.386 NZDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
IRERX017#
8958083: Sep 28 16:54:47.386 NZDT: IPSEC(crypto_ipsec_create_ipsec_sas): Map found VPN
IRERX017#
8958084: Sep 28 16:54:54.998 NZDT: IPSEC(validate_proposal_request): proposal part #1
8958085: Sep 28 16:54:54.998 NZDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= <Local IP>:0, remote= <remote ip>:0,
local_proxy= 10.0.0.0/255.0.0.0/256/0,
remote_proxy= 192.168.210.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Has anyone seen a similar issue before? Thanks in advance.
09-27-2015 09:55 PM
The phase 2 is not up as there are no SAs formed; the counters will still show up in the show crypto ipsec sa output.
To clear the counters, you can run the following command: clear crypto sa counters
Please attach the complete output of the phase 2 debugs.
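The reply above makes the key diagnostic point: non-zero packet counters in show crypto ipsec sa do not mean phase 2 is up; only a non-zero outbound SPI and listed ESP SAs do. The following is an added example, not code from the thread, that parses that output and flags peers in the state the original post shows; the peer addresses and SPI values in the two samples are constructed.

```python
import re

# Constructed samples in the format of the thread's "show crypto ipsec sa" output (peer
# addresses and SPI values are made up). 203.0.113.7 mirrors the stuck case from the
# thread; 203.0.113.9 is what a working phase 2 looks like.
STUCK_SAMPLE = """\
current_peer 203.0.113.7 port 500
#pkts encaps: 481619, #pkts encrypt: 481619, #pkts digest: 481619
#pkts decaps: 780905, #pkts decrypt: 780905, #pkts verify: 780905
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
outbound esp sas:
"""
HEALTHY_SAMPLE = """\
current_peer 203.0.113.9 port 500
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
current outbound spi: 0x1A2B3C4D(439041101)
inbound esp sas:
  spi: 0x5E6F7A8B(1584364171)
outbound esp sas:
  spi: 0x1A2B3C4D(439041101)
"""

def parse_crypto_ipsec_sa(text):
    # One dict per current_peer: packet counters, outbound SPI and the ESP SPIs listed.
    peers, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"current_peer (\S+) port \d+", line):
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0, "out_spi": 0,
                   "inbound": [], "outbound": []}
            peers.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"current outbound spi: 0x([0-9a-fA-F]+)", line):
            cur["out_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = m.group(1) if m.group(2) == "esp" else None  # AH/PCP lists ignored
        elif section and (m := re.match(r"spi: 0x([0-9a-fA-F]+)", line)):
            cur[section].append(int(m.group(1), 16))
    return peers

def phase2_up(p):
    # Up only with a non-zero outbound SPI and ESP SAs both ways; counters alone prove
    # nothing, since (as the reply notes) they persist after the SA is gone.
    return p["out_spi"] != 0 and bool(p["inbound"]) and bool(p["outbound"])

def stale_peers(text):
    # Peers whose counters show past traffic but which have no phase 2 SA now.
    return [p["peer"] for p in parse_crypto_ipsec_sa(text)
            if not phase2_up(p) and (p["encaps"] or p["decaps"])]
```

Running stale_peers over the concatenated samples returns only 203.0.113.7, which is the peer that would need its IPsec SA cleared or the crypto map reapplied as the later replies describe.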
09-28-2015 12:00 PM
Thanks Pjain,
I think I resolved the issue now. I had to remove the crypto map and re-add it to the interface. All remote VPNs are working after that.
Thanks for the reply.
10-01-2015 10:20 PM
The command is
clear crypto ipsec sa peer a.b.c.d